Sniffers Overview

Sniffers can listen for and record any raw data that passes through, over, or by a physical (hardware) network interface. They operate at a very low level (that is, as a kernel or OS-level application) so that they can communicate directly with the network interface in a language it understands. For example, a sniffer can tell an Ethernet network interface card (NIC) to send it a copy of every single Ethernet frame that arrives on the interface, regardless of what it is or where it’s going.

Because it operates on the Data Link layer of the OSI model, the sniffer doesn’t have to play by the rules of any higher-level protocols. It bypasses the filtering mechanisms (addresses, ports, messages, and so on) that the Ethernet drivers and TCP/IP stack use when interpreting data that comes in “on the wire.” The sniffer grabs anything off the wire. It can store those Ethernet frames in binary format and then later decode them to uncover the higher-level information hidden inside.

As with many other security tools, sniffers have acquired a kind of mystical quality. Everyone’s heard of them and is aware of their power, but many people outside the network security community think that sniffers are black magic used only by hackers, thieves, and other hoodlums. Sniffers are, in fact, just another tool. (Many of them are freely available—to anyone—for download.) Yes, they can be used to capture information and passwords that don’t belong to you, but they can also be used to diagnose network problems or to pinpoint the failing part of an IP connection.

One reason sniffers aren’t as dangerous as they once were is because most important data these days is encrypted. Public, non-encrypted services are rapidly disappearing from the Internet. People who used to telnet into shell accounts to check their e-mail (sending their passwords in clear, unencrypted text for all intermediate routers, hubs, and switches to see) are now using Secure Shell (SSH), which encrypts every part of the “telnet-like” session. People who log in to web sites now do so using Secure Sockets Layer (SSL), which is to web traffic what SSH is to telnet. Instead of sending sensitive data (as well as login credentials) over FTP, users are choosing to use SSL again in programs such as Secure Copy (SCP) or Secure FTP (SFTP). For other services that don’t offer encryption by default, Virtual Private Networks (VPNs) can be used to establish point-to-point encryption between a client host and a remote gateway or two remote networks.

The bottom line is this: Sniffers exist, and we know that people are going to be out there abusing them. It’s no different from tapping someone’s phone, bugging someone’s room, or simply eavesdropping on a conversation. People nose into your business on a daily basis. You have to account for that. If you’re still transmitting important data (web surfing and public downloading is usually okay to do in clear text) over the Internet unencrypted, well, you deserve what you get.

When worrying about the evil uses of sniffers, keep the following in mind:

• Sniffers must be placed on your local network or on a prominent intermediary point (such as a major router) on the Internet to be of any threat to your network.

• Today’s encryption standards make it extremely difficult to capture anything relevant—unless you’re not using encryption.

Switched networks make it more difficult (but not impossible, thanks to such tools as dsniff) for internal users to capture data on your network without being discovered. Wireless networks, however, open up a whole new can of worms (as you’ll see in Chapter 17).

Even so, it’s probably best to forget everything you know about sniffers. Yes, they can help hackers steal vital information, but many methods and tools are available to counteract that. Consider a sniffer just another tool, plain and simple, and see how even ethical and moral uses can be beneficial to us in our everyday lives.